A packaged app is an Open Web App that has all of its resources (HTML, CSS, JavaScript, app manifest, and so on) contained in a zip file, instead of having its resources on a Web server. This article provides an introduction to packaged apps and links to everything you need to know about packaged apps from a developer standpoint.

A packaged app is zip file that contains all the resources that enable an Open Web App to function, along with an app manifest in the zip's root directory. The app manifest provides details about the app such as its description, icons used to identify the installed app and such like. The package is then used to install the app to Firefox OS devices, Android devices and desktops. Once installed the app runs on the device, but is still able to access resources on the Web, such as a database on a Web server.

There are three types of packaged apps: web app, privileged app and certified app. While packaged apps can be used to deliver any type of Open Web App, privileged and certified apps are digitally signed to enable the use of privileged and certified APIs. Privileged apps are signed as part of the Marketplace review process, while certified apps are signed by device manufacturers or operators.

In addition to their ability to use privileged and certified APIs, packaged apps offer users a faster first start response as all the of the app's resources are available on the device after installation.These feature makes packaged apps the recommended approach for delivering Open Web Apps to Firefox OS devices, Android devices and desktops.

Note: Currently the Firefox Marketplace supports web and privileged packaged apps. In addition, Firefox Marketplace supports paid packaged apps for Firefox OS only and free packaged apps for Firefox OS, Firefox for Android and Firefox for Desktop. Support for paid apps on all platforms is under development.

There are three types of packaged apps: web apps, privileged apps and certified app. Each type of packaged app corresponds to a level of the App Security model implemented in Firefox OS. This section provides more information on each.

Web app

A web app is one that doesn't make use of privileged or certified APIs. When submitted to Marketplace the app's package is signed, but the special authentication process used for privileged or certified apps isn't performed. Web apps therefore cannot use privileged or certified APIs. These apps are not subject to the Content Security Policies (CSPs) required for privileged and certified apps.

This type of packaged app doesn't require the type field in its manifest.webapp file, because the default value for type (web) is correct.

Web apps may be self-published or distributed through the Firefox Marketplace. Web apps can also be delivered using the Hosted app mechanism.

Privileged app

A privileged app is one that makes use of privileged APIs and can be considered as the equivalent of a native app on platforms such as iOS and Android. When submitted to the Firefox Marketplace, privileged apps are approved using a special process. This process gives users of the app a level of assurance that the app has been carefully reviewed for potential security, privacy and capability issues.

To specify that an app is a privileged app, add the type field to its manifest.webapp file and set it to privileged. Every privileged API your app needs to access must be added to the permissions field in the app's manifest.

Firefox OS and the Web runtimes for Android and desktops enforces the following CSP for privileged apps:

Privileged apps may be distributed through the Firefox Marketplace only.

Certified app

Certified apps are not generally available to third-party developers and aren't distributed through the Firefox Marketplace. The long term goal for the APIs covered by certification is to harden then so they can be made available as privileged APIs. If you've an interest in seeing a particular API made available, please provide feedback on the dev-webapps mailing list.

A certified app is one that makes used of certified APIs, APIs that offer access to critical system function such as the default dialer or the system settings app on a device. Compared to to a privileged app, all API permissions in a certified app are implicit, meaning they are enabled without explicit user approval. A certified app must be approved for a device by the OEM or carrier.

To specify that an app is a certified app, add the type field to its manifest.webapp file and set it to certified. Every privileged and certified API your app needs to access must be added to the permissions field in the app's manifest.

This has the effect of implementing stricter rules for inline CSP for certified compared to privileged apps. If you want to understand the reasoning behind this, see Default CSP policy and Bug 768029.

Certified apps are preloaded onto devices by OEMs and operators.

Testing packaged apps

To install a packaged app into a Firefox OS Simulator or onto a device for testing purposes, see Using the App Manager. Alternatively, you can install it on to a device from a Web server by following the steps described in Publishing apps yourself. Remember that when you publish apps yourself, packaged web apps only can be installed .

Publishing packaged apps

You have two options for publishing packaged apps: on Firefox Marketplace or self-publishing.

Publishing on Firefox Marketplace

The process for submitting a packaged app to Firefox Marketplace is described in the App Publishing section.

When you submit your packaged app, its zip file is stored on the Marketplace servers, and the Marketplace generates a new manifest called the mini-manifest that is based on the app manifest in your packaged app's zip file. When a user installs your app, the mini-manifest is passed to the Apps.installPackage() function to install the app. The mini-manifest exists for installation and update purposes and isn't used when your app runs.